amaharaneko/guix-mirrors
1
1
Fork 0
mirror of https://codeberg.org/guix/guix.git synced 2025-10-02 02:15:12 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

gnu: yajl: Patch CVE-2023-33460.

Browse source 
* gnu/packages/patches/yajl-CVE-2023-33460.patch: Add file.
* gnu/local.mk: Record patch.
* gnu/packages/web.scm (yajl)[source]: Record patch.

Signed-off-by: Zheng Junjie <z572@z572.online>
This commit is contained in:
Nicolas Graves 2025-03-07 19:28:16 +01:00 committed by Zheng Junjie
parent 142a3d5177
commit 788e3b87a7
No known key found for this signature in database
GPG key ID: 3B5AA993E1A2DFF0
3 changed files with 42 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

1
gnu/local.mk
View file

@ -2474,6 +2474,7 @@ dist_patch_DATA = \
%D%/packages/patches/xterm-370-explicit-xcursor.patch \
%D%/packages/patches/xygrib-fix-finding-data.patch \
%D%/packages/patches/xygrib-newer-proj.patch \
%D%/packages/patches/yajl-CVE-2023-33460.patch \
%D%/packages/patches/yggdrasil-extra-config.patch \
%D%/packages/patches/zig-0.9-build-respect-PKG_CONFIG-env-var.patch \
%D%/packages/patches/zig-0.9-fix-runpath.patch \

38
gnu/packages/patches/yajl-CVE-2023-33460.patch Normal file
View file

@ -0,0 +1,38 @@
Memory leak in yajl 2.1.0 with use of yajl_tree_parse function
See https://github.com/lloyd/yajl/issues/250#issuecomment-1628695214
Origin: https://github.com/openEuler-BaseService/yajl/commit/23a122eddaa28165a6c219000adcc31ff9a8a698
Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1039984
Bug: https://github.com/lloyd/yajl/issues/250
---
src/yajl_tree.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/src/yajl_tree.c b/src/yajl_tree.c
index 3d357a32..56c7012f 100644
--- a/src/yajl_tree.c
+++ b/src/yajl_tree.c
@@ -143,7 +143,7 @@ static yajl_val context_pop(context_t *ctx)
ctx->stack = stack->next;
v = stack->value;
-
+ free (stack->key);
free (stack);
return (v);
@@ -444,7 +444,14 @@ yajl_val yajl_tree_parse (const char *input,
snprintf(error_buffer, error_buffer_size, "%s", internal_err_str);
YA_FREE(&(handle->alloc), internal_err_str);
}
+ while(ctx.stack != NULL) {
+ yajl_val v = context_pop(&ctx);
+ yajl_tree_free(v);
+ }
yajl_free (handle);
+ //If the requested memory is not released in time, it will cause memory leakage
+ if(ctx.root)
+ yajl_tree_free(ctx.root);
return NULL;
}

4
gnu/packages/web.scm
View file

@ -1749,7 +1749,9 @@ C.")
(file-name (git-file-name name version))
(sha256
(base32
"00yj06drb6izcxfxfqlhimlrb089kka0w0x8k27pyzyiq7qzcvml"))))
"00yj06drb6izcxfxfqlhimlrb089kka0w0x8k27pyzyiq7qzcvml"))
(patches
(search-patches "yajl-CVE-2023-33460.patch"))))
(build-system cmake-build-system)
(arguments
'(#:phases